[00:11.420 --> 00:16.160]  Hello, and welcome to the Aerospace Village panel discussion on building communications
[00:16.160 --> 00:21.840]  across the aviation ecosystem. Hi, let me introduce myself. My name is Katie Trimble-Noble,
[00:21.840 --> 00:26.560]  and I'm the Director of Product Security Incident Response and Bug Bounty at Intel.
[00:26.560 --> 00:32.260]  So, I run the Bug Bounty program as well as researcher outreach and engagement,
[00:32.700 --> 00:38.540]  and I've been really in the ecosystem for many, many years. Prior to coming over to Intel,
[00:38.540 --> 00:42.280]  I worked for the Department of Homeland Security, where I was the Section Chief for
[00:42.280 --> 00:47.280]  Vulnerability Management and Coordination. So, I've been doing this for several years.
[00:47.300 --> 00:51.760]  Throughout my career, I've coordinated and disclosed over 20,000 cybersecurity vulnerabilities.
[00:52.060 --> 00:56.500]  So, I really want to jump in right now. We don't have a lot of time today, and I want to
[00:56.500 --> 01:01.000]  go ahead and introduce our panel. So, we're going to ask everybody to go through and introduce
[01:01.000 --> 01:12.290]  themselves. So, Randy, can we start with you? Yeah. Hi, I'm Randy Talley. I'm a Senior Advisor
[01:12.290 --> 01:17.810]  with DHS's Cybersecurity and Infrastructure Security Agency. I've been working in aviation
[01:17.810 --> 01:28.050]  for quite a while as a pilot doing aviation security for DHS and have been on the, excuse me,
[01:28.050 --> 01:37.490]  the Tri-Chair, the DHS Tri-Chair for the Aviation Cyber Initiative for the last two and a half years.
[01:39.230 --> 01:41.250]  Awesome. Sid?
[01:42.770 --> 01:51.070]  Hi, everyone. My name is Sid Geji. I work at FAA. I'm a manager within the
[01:51.070 --> 01:57.510]  Office of Information Security and Privacy. I've been with the agency about 14 years,
[01:57.510 --> 02:05.370]  and in a variety of different roles. And I serve as the Tri-Chair for the FAA on the Aviation
[02:05.370 --> 02:12.070]  Cyber Initiative for the past two and a half years as well. I am glad to be here. It's my first year
[02:12.070 --> 02:19.830]  at DEF CON. Lots of people in the room, you know, virtually, and I look forward to learning from you
[02:19.830 --> 02:26.610]  all. So, glad to be here. Yeah, thanks. Welcome, Sid. Welcome to DEF CON. I hope this experience
[02:26.610 --> 02:31.550]  is awesome for you. You get a little bit of a different flavor this year. So, John?
[02:32.310 --> 02:37.850]  Hi, my name is John Craig. I'm the Chief Engineer of Cabin Network and Security Systems at the
[02:37.850 --> 02:43.370]  Boeing Company. I've been there for around 34 years. I've worked in all sorts of systems groups
[02:43.370 --> 02:49.930]  on commercial airplanes, and my current role has me working all the cabin systems, the networks on
[02:49.930 --> 02:55.450]  the airplane. I work the development of the connectivity links, and I'm responsible for
[02:55.450 --> 03:01.090]  product security for commercial airplanes. I'm also the Chairman of the Aviation ISAC,
[03:01.090 --> 03:10.030]  and really like to encourage people to look up that organization. It provides a great sharing
[03:10.970 --> 03:19.450]  opportunity in aviation. Thanks. Yeah, welcome. Jen? Hi, I'm Jen Ellis. I'm the VP of Community
[03:19.450 --> 03:27.030]  and Public Affairs at Rapid7, and I am probably the least of the aviation experts on this panel.
[03:27.030 --> 03:32.470]  When I say probably, I mean definitely. But I represent the voice of, I think, the security
[03:32.470 --> 03:38.970]  research community, and my job is to think about how do you leverage security research and insight
[03:38.970 --> 03:48.530]  and expertise to create social change that makes a more secure, safer world. Awesome, awesome.
[03:48.530 --> 03:55.810]  Jeff? Hi, I'm Jeff Troy. I'm the President of the Aviation ISAC. I've been in that role for about
[03:55.810 --> 04:01.010]  three and a half years. I also work for General Electric. I'm on the staff of the CISO at General
[04:01.010 --> 04:06.410]  Electric Aviation, and I'm on the Board of Directors of the National Defense ISAC, so
[04:06.410 --> 04:14.070]  very engaged in the information sharing world. Prior to that, I was with the FBI for 25 years and
[04:15.190 --> 04:23.270]  left there in the cyber division, you know, working the cyber criminal and national security cases.
[04:23.930 --> 04:30.630]  Glad to be here, thanks. Yeah, happy to have you. Alan? Hi, I'm Al Burke, and I'm an Associate
[04:30.630 --> 04:35.210]  Deputy Director in the Air Force's Cyberspace Operations and Warfighter Communications,
[04:35.210 --> 04:39.370]  and I'm also the Department of Defense Chair for the Aviation Cyber Initiative.
[04:39.370 --> 04:42.810]  I come out of the airspace and missile defense operations community,
[04:42.810 --> 04:47.330]  and my primary focus in the ACI is on improving cybersecurity
[04:49.370 --> 04:56.390]  initiatives and resilience of derivative aviation capabilities where the DOD,
[04:56.390 --> 05:03.270]  interagency, and industry objectives intersect. Awesome, awesome. I'm excited to hear more about
[05:03.270 --> 05:07.970]  that later. So now that we've all kind of introduced ourselves and we have a good idea
[05:07.970 --> 05:13.650]  who we are and where we come from, you can see we have a just jam-packed panel full of awesome
[05:13.650 --> 05:18.350]  aviation cyber and researcher professionals here. So I'm really excited about it. Let's,
[05:18.350 --> 05:22.350]  let's really just jump right in here. So today, in this panel, we're going to talk a little bit
[05:22.350 --> 05:27.430]  about some current activities between government, industry, security, the security community,
[05:27.430 --> 05:32.190]  the responsible disclosure community, some information sharing, and some improved
[05:32.190 --> 05:37.570]  collaboration and coordination across the aviation sector. So really jam-packed. I want
[05:37.570 --> 05:42.310]  to step back just a little bit and explain and go through just a little bit of the groundwork
[05:42.310 --> 05:49.330]  on what the Aviation Cyber Initiative is. And so Randy, can you talk really briefly about what the
[05:49.330 --> 05:55.350]  Aviation Cyber Initiative is in the tri-chair? You're good. You'd love to. Aviation Cyber
[05:55.350 --> 06:03.010]  Initiative actually started probably around five years ago, the 2016 timeframe. It was,
[06:03.010 --> 06:08.390]  it was originally focused on, on aircraft only. There was some testing that our DHS S&T
[06:09.370 --> 06:16.590]  folks were doing and, and was, was of interest to everyone. And we've, we've taken that,
[06:16.590 --> 06:22.430]  and a lot of things have happened since that initial surge or testing, if you will.
[06:22.430 --> 06:27.130]  The National Strategy for Aviation Security was published by the White House
[06:27.870 --> 06:34.950]  about a year and a half ago. We're getting close to two years ago. And it specifically was a,
[06:34.950 --> 06:41.790]  was an update. The NSTAS needed to be updated. It was dated back to 2016. It was old and it didn't
[06:41.790 --> 06:46.710]  include anything about cybersecurity, nor did it include anything about UAS. So that was a big
[06:46.710 --> 06:54.790]  upgrade, if you will, for, for the NSTAS. It also defined the aviation ecosystem, which,
[06:54.790 --> 06:59.950]  which really helped us out and kind of defines the swim lanes, if you will, for,
[07:00.470 --> 07:09.730]  for aviation security. So, so those, those six swim lanes as defined include the aircraft,
[07:09.730 --> 07:16.610]  obviously, but also talks about airports, talks about airlines, airlift, airlift being the,
[07:16.610 --> 07:23.910]  the cargo derivative, derivative or equivalent of the airlines, talks about actors, which can
[07:23.910 --> 07:28.990]  mean anything from training to, to third-party vendors on an airport. It could, it could be
[07:28.990 --> 07:33.610]  anything has to do with people. And it goes into aviation management, which is all the
[07:33.610 --> 07:38.770]  infrastructure necessary to run the aviation environment. So, so all of those things are
[07:38.770 --> 07:45.850]  swim lanes. It's a little easier for us, the Aviation Cyber Initiative, to, to, to talk about
[07:45.850 --> 07:51.830]  this when you're talking about the various swim lanes as opposed to a big amorphous blob. So
[07:52.730 --> 07:58.510]  what is the ACI? Well, I've talked a little bit about it initially. A year ago, we were
[07:58.510 --> 08:02.930]  chartered by the Secretary of Homeland Security, the Secretary of Defense, and the Secretary of
[08:02.930 --> 08:10.850]  Transportation to, to be a tri-chaired organization. So I have my DOD colleague,
[08:11.560 --> 08:18.290]  Al, and Sid, my FAA colleague, and we lead this effort across the whole of government
[08:18.820 --> 08:26.330]  to include industry and to include anybody that's really looking at aviation cybersecurity,
[08:26.330 --> 08:32.650]  to pull them in and try to reduce our risks and increase our resiliency across,
[08:32.650 --> 08:38.090]  across aviation. So I'm, I'm very proud to participate in that. That gives you a little
[08:38.090 --> 08:41.970]  background. I don't want to get too much in, in depth in it, but I think that that should
[08:41.970 --> 08:49.550]  answer your question. Yeah, really good. Thank you. So I want to talk a little bit about
[08:49.950 --> 08:56.670]  some, a recent situation that I kind of really feel was a really good example of a watershed
[08:56.670 --> 09:01.950]  moment within the researcher aviation and public sector communities. So this happened about a year
[09:01.950 --> 09:07.870]  ago. And Jen, Rapid7 made a pretty, it's a pretty interesting disclosure on civil aviation
[09:08.610 --> 09:13.410]  last year. Can you walk us through that and kind of give us your perspective on the process?
[09:13.410 --> 09:20.430]  Yeah, sure. Absolutely. So we have a researcher, Patrick Kiley, who has done a lot around
[09:20.430 --> 09:26.530]  transportation in the past. He has done a lot specifically with automotive. He's also a pilot
[09:26.530 --> 09:34.890]  and he's building his plane as one does apparently. And so as part of his sort of, you know,
[09:34.890 --> 09:40.110]  passion and enthusiasm in this area, he was investigating various things and he heard about
[09:40.270 --> 09:49.530]  a technology used in small aircraft that is well known in the security community as being
[09:50.180 --> 09:57.310]  sort of quite trivial to exploit. So the technology is CAN bus. And he heard that it was being used
[09:58.130 --> 10:03.250]  as a way of sort of connecting avionics. And the avionics, you know, being the parts that control
[10:03.250 --> 10:07.590]  the plane, he was like, well, that sounds quite dangerous. And he was well aware that a few years
[10:07.590 --> 10:12.150]  back there had been a lot of noise made around about CAN bus in automotive. And there'd been
[10:12.150 --> 10:16.250]  very widespread discussion in the automotive industry. And as a result, many automotive
[10:17.150 --> 10:21.850]  organizations either moved away from using CAN bus or introduced additional mitigations and
[10:21.850 --> 10:28.890]  protections. He had not heard of such a discussion in the aviation space. And actually on talking to
[10:28.890 --> 10:33.630]  more people who work in aviation, he found that, you know, generally security people seem to believe
[10:33.630 --> 10:37.790]  it was an issue, but said that they were having trouble in having this be talked about at the
[10:37.790 --> 10:43.810]  right levels and get enough attention to really make a change. So he did some research on that.
[10:43.810 --> 10:51.150]  And our goal with the research from the beginning was never to sort of shame a particular vendor or
[10:51.150 --> 10:57.330]  embarrass a vendor. This wasn't a, we're going to take a specific vendor system and uncover
[10:57.330 --> 11:02.730]  new vulnerabilities. It's much more of an architectural issue and a known issue. So the
[11:02.730 --> 11:07.930]  goal was to look at a few different systems, verify that CAN bus was in fact being used,
[11:07.930 --> 11:12.890]  and then talk about why that's an issue on a sort of strategic level and try and stimulate some
[11:12.890 --> 11:19.490]  discussion in the aviation community around it. As a result, and also because we were dealing with
[11:19.490 --> 11:25.910]  aviation and, you know, we recognize that aviation is a different space. It, you know, there is a
[11:25.910 --> 11:30.790]  sort of life and death element when you're talking about things to do with aviation. We were very
[11:30.790 --> 11:36.590]  cautious with how we approached it. Our typical disclosure process, which is documented and on
[11:36.590 --> 11:42.530]  the internet, is normally a sort of 60-day process, sometimes a bit longer. This process took a year
[11:42.530 --> 11:49.130]  and a half. And the reason was two things. One, we very much did not want to cause hysteria. You
[11:49.130 --> 12:00.770]  know, as somebody who flies a lot, I know how easy it is to get spooked on this stuff. And I,
[12:00.770 --> 12:04.150]  so we wanted to be very thoughtful with the approach that we took and we wanted to be very
[12:04.150 --> 12:07.830]  balanced and as neutral as possible. And the second thing is that we really did want to try
[12:07.830 --> 12:13.770]  and stimulate this discussion. That was our goal. So we wanted to try and involve as many people to
[12:13.770 --> 12:19.390]  participate in that process as possible and really sort of like immerse the community as much as we
[12:19.390 --> 12:29.170]  could. It was a somewhat mixed process. You know, there's not a lot of tried and true ways of doing
[12:29.170 --> 12:34.710]  this in aviation, even for an organization like Rapid7, who have done a lot of vulnerability
[12:34.710 --> 12:40.470]  disclosure, a lot of vulnerability research over the years. Aviation, you know, every sector is a
[12:40.470 --> 12:48.230]  little different and aviation is certainly also a little different. And what we found was that
[12:48.950 --> 12:54.510]  generally, people, including many of the people on this call, were very, very generous with their
[12:54.510 --> 12:59.650]  time and their insight, their expertise. So we had a lot of people who were willing to talk to us,
[12:59.650 --> 13:02.530]  which was great, because we were worried at the beginning that that wouldn't be the case.
[13:03.010 --> 13:10.590]  But we also found that there was a bit of a flavor in the discussion that came across of,
[13:10.590 --> 13:16.610]  you know, people sort of pointing out that we weren't aviation experts and that physical security
[13:16.610 --> 13:22.150]  would take care of this and that, you know, we weren't understanding how pilots work. Now,
[13:22.150 --> 13:27.570]  here's the thing, is certainly I'm not an aviation expert and I was very glad to have
[13:27.570 --> 13:32.550]  input and have expertise from people who really are immersed in the space. It was a great learning
[13:32.550 --> 13:38.590]  for me. But in general, I think anybody who works in cybersecurity is always going to be a little
[13:38.590 --> 13:45.670]  leery of any sector that really leans hard on physical security as a response to cybersecurity
[13:45.670 --> 13:52.110]  challenges. And while we were very aware, always very aware and acknowledged in the report
[13:52.110 --> 13:59.410]  that physical access was required to exploit this system, we're also very aware that these
[13:59.410 --> 14:03.790]  systems stay in place for a very long time and that motivated attackers will find ways,
[14:03.790 --> 14:07.430]  particularly when you're talking about smaller aircraft, which might not have quite the same
[14:07.430 --> 14:13.110]  degree of physical protection that, you know, sort of larger commercial aircraft might.
[14:13.110 --> 14:19.290]  And so, there was a little bit of that. And I think Patrick probably felt a little bit
[14:19.290 --> 14:23.810]  affronted every time he got told that he didn't know how pilots worked, since he may not be a
[14:23.810 --> 14:30.150]  commercial pilot, but, you know, he has flown planes. So, it was good to get the feedback.
[14:30.150 --> 14:37.090]  We were super grateful to have the ears and to have the feedback. And we certainly wanted to
[14:37.090 --> 14:42.450]  challenge our own assumptions. But what we did learn through the way is that, yes, it's always,
[14:42.450 --> 14:46.550]  with any Coordinated Vulnerability Disclosure, and we are big advocates for Coordinated
[14:46.550 --> 14:52.650]  Vulnerability Disclosure, it is critical and key to build empathy, to listen actively,
[14:52.650 --> 14:57.310]  to take on board feedback and to challenge your own assumptions, and to try and build trust. Like,
[14:57.310 --> 15:01.910]  I think, above all, trust is where you want to get to. But you also have to know when to
[15:01.910 --> 15:05.230]  hold the line on your, like, yes, challenge your own assumptions, but hold your line
[15:05.230 --> 15:09.750]  once you've done that and you've verified that your findings are as you think they are.
[15:09.750 --> 15:15.110]  So, it was a good learning process for us. And I think, in the end, the disclosure went well. One
[15:15.110 --> 15:19.170]  thing, just before I wrap, that I'll say is I think part of the reason the disclosure went so well
[15:19.170 --> 15:28.670]  was because of the role that DHS CISA played. I think that having the Vulnerability Management
[15:28.670 --> 15:35.710]  Center part of CISA, which Katie was kind of running at the time, having you guys independently
[15:35.710 --> 15:42.050]  verify the research findings and then decide that it was a significant enough issue to put
[15:42.050 --> 15:47.770]  out your own alert to coincide with our report, that, to me, was a pretty big deal. It was actually
[15:47.770 --> 15:53.250]  kind of a game changer, I think. I can't say whether we would have bowed to pressure if that
[15:53.250 --> 15:56.330]  had not been the case, but I'm certainly very grateful that we didn't have to make that choice.
[15:56.330 --> 16:01.210]  So, thank you. And thank you to everyone else on the call who helped educate us along the way and
[16:01.210 --> 16:06.850]  gave us their time and their feedback. Yeah, it's definitely a complicated situation. I think
[16:06.970 --> 16:11.470]  a lot of times it's difficult when you think about every sector is different and, you know,
[16:11.470 --> 16:16.170]  your ICS systems, your embedded systems, your safety systems, they're very complex. And doing
[16:16.170 --> 16:20.850]  that coordination up and down the hardware stack is a little different than you would necessarily
[16:20.850 --> 16:25.930]  see in, say, a digital services sort of platform or in a general, typical, traditional software
[16:25.930 --> 16:30.970]  platform. So, it's definitely learning, I think, for everyone. And there are some ups and downs
[16:30.970 --> 16:36.470]  in that. And I think that when you look at it, you have to take it for... we're going to look at
[16:36.470 --> 16:41.390]  climate versus weather. You know, if we look at one each individual disclosure, it's pretty tough.
[16:41.390 --> 16:46.670]  But in the end, we learned a lot. So, Randy, can you talk a little bit about... DHS got involved
[16:46.670 --> 16:51.030]  in this disclosure. Can you talk a little bit about how DHS got involved in this disclosure and
[16:51.530 --> 16:59.310]  what role DHS took? Sure. Yeah, we have the Vulnerability Disclosure Program that DHS runs.
[16:59.310 --> 17:03.530]  Great group of folks. As a matter of fact, I think Jay Angus is going to have a panel at the
[17:03.530 --> 17:09.370]  Aerospace Village on Vulnerability Disclosure. So, I invite you to go and listen to that.
[17:10.090 --> 17:15.670]  Great, great folks. They approached me... great folks, including you, Katie... approached me and
[17:15.670 --> 17:22.210]  said, hey, I've got an aviation thing. I need to get it to you. I need you to understand
[17:22.210 --> 17:29.910]  we need to know kind of where we go from here. So, I was able to get the briefing from Rapid7.
[17:30.250 --> 17:37.750]  Actually got to read their final draft report, if you will. And you have to realize in aviation,
[17:37.750 --> 17:44.250]  aviation is a big thing. So, I've got a big background in aviation, but the CAN bus,
[17:44.250 --> 17:52.190]  where it's installed, you know, different aircraft vendors, it's a huge thing to try to go,
[17:52.190 --> 17:59.590]  yeah, I got this. So, how important is it? Well, it did require physical access. So, I can stand
[17:59.590 --> 18:06.890]  down a little bit from that. I think everybody understood that. But, you know, what... how does
[18:06.890 --> 18:15.090]  it affect commercial aviation? How does it affect small aircraft or the general aviation folks?
[18:15.250 --> 18:20.390]  So, I said, look, we need to get it to two places. We need to get to the FAA. They're
[18:20.390 --> 18:24.790]  the regulator. They should be aware of this because they need to make a risk assessment if
[18:24.790 --> 18:32.350]  it's a big thing. We also need to get it to the Aviation ISAC. Aviation ISAC has their members.
[18:32.350 --> 18:39.470]  They can quickly get it out to aircraft manufacturers and actually the folks who
[18:39.470 --> 18:45.010]  are building systems and determine, hey, what can I do with this? Or what should I be doing with this
[18:45.010 --> 18:54.530]  in the future? I think this was the first time since the ACI has been stood up that we've had
[18:54.650 --> 19:00.450]  a vulnerability disclosure come to me. It's not the last time, but it was the first time.
[19:00.450 --> 19:07.150]  It was handled very well, I think, by Rapid7. I think they understood going in, you know,
[19:07.150 --> 19:14.850]  the physical access aspect was a big deal, the acknowledgement of that. It wasn't the skies
[19:14.850 --> 19:22.270]  falling. It was, hey, this is an issue and we need to address it. And I love that part of it.
[19:23.190 --> 19:29.090]  I know our VDP folks, the vulnerability disclosure folks, were very interested in, hey, look, we need
[19:29.090 --> 19:35.470]  to send out an advisory. It's going to mirror what we did on the cars years ago. And it's also
[19:35.470 --> 19:42.530]  going to say, hey, it does require physical access. So then once again, not the skies falling,
[19:42.530 --> 19:48.810]  we found a vulnerability, but this is something you should be aware of when you're architecting
[19:49.150 --> 19:59.790]  a system. So it was very good for me. I enjoyed getting involved in it to this level. And then,
[19:59.790 --> 20:04.710]  you know, the focus for that vulnerability disclosure is, can we get, you know,
[20:04.710 --> 20:10.250]  how do we approach a mitigation? If we found a vulnerability, how do we approach a mitigation?
[20:10.470 --> 20:16.350]  How do we close that down and make the system more safe and secure? And I think we achieved
[20:16.350 --> 20:24.770]  that in this particular case. Great. Yeah, we go back to that physical security. And I think
[20:25.270 --> 20:28.830]  overwhelmingly, one of the big things that was very different from, say, this disclosure to
[20:29.390 --> 20:32.590]  a disclosure that we might see somewhere else is that this is more of an architecture
[20:32.590 --> 20:37.730]  into a lot of different things versus, say, one particular product and one particular version.
[20:37.730 --> 20:45.530]  And so just the impact was very awe-inspiring. We didn't know where things were. So we really
[20:45.530 --> 20:49.550]  had to rely on the subject matter experts. And we really had to bring in a lot of different people
[20:49.550 --> 20:55.430]  to ask and find out. And so, Sid, can you really quickly tell us about your work and how you were
[20:55.430 --> 21:00.270]  brought in and talked to some of your colleagues at the FAA and the safety that was involved in
[21:00.270 --> 21:11.970]  that? Yeah, sure. So, Randy brought this up last year. And I think I agree with you, Katie. I think
[21:11.970 --> 21:17.210]  it was a watershed moment. That's a good way to describe it. We had a researcher that came forward
[21:17.210 --> 21:25.510]  with a vulnerability. Rapid7 came to us and they said, hey, look, this is important. You know,
[21:25.510 --> 21:33.590]  this is an issue. And so it really helped kind of spur a set of conversations within the FAA,
[21:34.250 --> 21:39.370]  both from our AVS, which is this aviation safety organization within the agency.
[21:39.670 --> 21:46.370]  The CISO was on the call. And it helped us, I think, you know, really connect different offices.
[21:46.370 --> 21:52.470]  And so, granted, it's a physical security issue. And I believe the other thing that happened also
[21:52.470 --> 22:00.250]  was TSA was notified. That's the agency that's responsible for all of aviation security in the
[22:00.250 --> 22:07.790]  U.S. So it really helped us connect with different stakeholders and really laid the groundwork for a
[22:07.790 --> 22:13.870]  process. There's going to be a lot of back and forth in such situations between the safety
[22:13.870 --> 22:21.150]  engineers, the regulators, the researchers. And that's really, in my mind, very good.
[22:21.190 --> 22:26.550]  And it's healthy. We want to spur those types of conversations. Everybody's not going to agree
[22:26.550 --> 22:33.650]  on exactly how big the risk is. And so it can get a little difficult to come to
[22:33.650 --> 22:38.910]  get to the same page. But I think having those conversations is really important. And I think
[22:38.910 --> 22:46.990]  this event helped us do that. So thanks to Rapid7, thanks to DHS and the ISAC for taking
[22:46.990 --> 22:52.790]  the lead on this. Yeah, yeah. So that actually leads us right into, Jeff, can you talk about
[22:52.790 --> 22:58.070]  the ISAC? And the ISAC is information sharing. And so if you really want to affect change,
[22:58.070 --> 23:01.950]  you need to get the information out there. You need to make sure that people understand. So can
[23:01.950 --> 23:08.590]  you talk to us about your involvement in this? Thanks, Katie. So first off, we were just really
[23:08.590 --> 23:15.930]  highly appreciative of Rapid7's approach to this and allowing us to be invited in. Similarly to
[23:15.930 --> 23:22.290]  Randy and the rest of the folks at the Aviation Cyber Initiative for being so inclusive, letting
[23:22.290 --> 23:29.290]  us kind of get this information and be able to pass it out to the members. So like has been
[23:29.290 --> 23:37.470]  mentioned earlier, the Aviation ISAC's role in these security disclosures is really a connector.
[23:37.970 --> 23:42.790]  Jen highlighted how important it is for communication to be happening during these
[23:42.790 --> 23:48.370]  events. And typically when they start, it's really hard for a researcher to find the right person in
[23:48.370 --> 23:54.270]  the industry. We also mentioned here, though, that this was a little different. This is a technology
[23:54.270 --> 23:59.910]  that's broadly used across the industry, and it's actually something a lot of other folks plug into.
[24:00.990 --> 24:07.110]  Many times when a researcher has a particular disclosure they want to make, it's about one
[24:07.110 --> 24:13.470]  type of product. There's one vulnerability in some design of a specific component.
[24:13.730 --> 24:17.690]  When researchers want to get a hold of that company, frequently they're calling us because
[24:17.690 --> 24:22.610]  if you want to get a hold of somebody in the industry, it's a lot harder nowadays actually
[24:22.610 --> 24:27.350]  to find the right person. And we just happen to have them all connected in our community.
[24:27.790 --> 24:32.710]  But this one was different, and it was a great learning experience for us all
[24:32.710 --> 24:38.690]  because there was a little bit of a shorter window on the industrial side. But as we look
[24:38.690 --> 24:43.610]  back at the event, it really made a lot of sense because there wasn't somebody that was one
[24:43.610 --> 24:47.830]  particular company to take a look at this. This was more of everybody saying, hey, wait a minute,
[24:47.830 --> 24:54.030]  we're all plugging into this. We really need to take a look at this as a larger issue and as a
[24:54.030 --> 25:01.270]  systems issue. In the end, we did, and it's been mentioned as well, there was a physical security
[25:01.270 --> 25:07.070]  component, that is one component. But in the whole concept of layered security, physical
[25:07.070 --> 25:13.450]  security is just one layer. And when you find that there is an issue inside of any layer,
[25:13.450 --> 25:19.890]  the objective in a really good layered concept is to harden that layer. And this was a really
[25:19.890 --> 25:24.650]  good example of that. It's like, it doesn't matter if it's embedded in a lower layer,
[25:24.650 --> 25:30.190]  let's get every layer as hard as it can possibly be and make it difficult for anyone to make that
[25:30.190 --> 25:37.210]  complete penetration. So I would agree with everyone. I think this was a really good example
[25:37.210 --> 25:43.750]  of how to do it right. And I think what was really impressive for us, too, as the trust
[25:43.750 --> 25:49.450]  gets built across the engagement between the researchers and the industry, it was really good
[25:49.450 --> 25:55.510]  to see what Jen talked about was the perspective right from the start. Hey, we don't want to get
[25:55.510 --> 26:01.890]  people overly excited or hysterical about something. We really need to understand in the
[26:01.890 --> 26:07.630]  whole equation of risk, you know, how big of a risk is this? And, you know, how does that risk
[26:07.630 --> 26:13.190]  get managed? And their approach that they took, that cautious approach of really trying to get
[26:13.190 --> 26:23.050]  that understanding and validation was really critical to the successful outcome. Awesome.
[26:23.050 --> 26:30.010]  So I think this is a great opportunity and it was a great example of pieces that didn't ever,
[26:30.010 --> 26:34.090]  you know, typically work together and who were new to each other and maybe didn't even know that
[26:34.090 --> 26:38.530]  the other existed and were able to really pull together. And there were some ups and downs. And
[26:38.530 --> 26:43.470]  in the end, Rapid7 put out their vulnerability information, DHS put out a complementary
[26:44.290 --> 26:49.150]  security advisory, and I think it sort of laid the groundwork. So now that we kind of talked
[26:49.150 --> 26:54.350]  about that, I really want to pivot to the current. So there are some really awesome progress being
[26:54.350 --> 27:00.470]  made in the aviation and researcher communities. And it's hard to even pull a couple topics. When
[27:00.470 --> 27:05.610]  I sat down to kind of go through and say, what can we talk about here? There were just so many
[27:05.610 --> 27:11.270]  topics out there. The community is moving so rapidly. And I think even the aviation village
[27:11.270 --> 27:16.510]  itself is something that 10 years ago, we wouldn't have even thought of. We could pull together and
[27:16.510 --> 27:22.070]  do that. And so there's so many wonderful things. John, Boeing is getting involved in some really
[27:22.070 --> 27:26.690]  awesome community outreach and community engagement. Can you talk a little bit about the tech council?
[27:27.530 --> 27:33.730]  Yeah, I'll start off with, you know, aviation is a unique space. And we have a very strong safety
[27:33.730 --> 27:39.890]  culture. We have a unique development process. And, you know, to some extent, I think we view
[27:39.890 --> 27:46.290]  ourselves as being special. And, you know, Jen kind of mentioned earlier that when people come
[27:46.290 --> 27:51.450]  from outside that community, the natural antibodies kick in and we find reasons to kind
[27:51.450 --> 27:57.770]  of discount the feedback. I've been working in this space for 10 to 15 years. And, you know,
[27:57.770 --> 28:04.530]  reality kind of kicked in on me when the Stuxnet virus was disclosed. And it broke all my,
[28:04.530 --> 28:10.670]  you know, stereotypes of aviation and how we're unique. You know, and oftentimes I feel like an
[28:10.670 --> 28:16.590]  evangelist out trying to spread the good word. Well, last year was a significant milestone,
[28:16.590 --> 28:22.290]  and I'd say turning point for Boeing. A researcher got a hold of some of our executable code,
[28:22.290 --> 28:28.170]  reverse engineered it, and disclosed things that were actually quite surprising. I think
[28:28.170 --> 28:34.610]  we were surprised with the tools that allowed them to actually go in and, you know, kind of view the
[28:34.610 --> 28:42.490]  code in, you know, in a space where we didn't think was really possible. We actually spent a
[28:42.490 --> 28:48.310]  lot of time, several months, analyzing the code. We were in our lab. We have very extensive labs
[28:48.310 --> 28:53.710]  that replicate the airplane quite accurately. At the end of it, we actually went out onto an
[28:53.710 --> 28:59.530]  airplane. We brought all the systems engineers out to view it. We went through a bunch of scenarios.
[28:59.530 --> 29:06.190]  Some of the claims, we actually went well beyond the claims. We did a pretty thorough test on a 787.
[29:07.670 --> 29:14.050]  And at the end of that, our response, you know, not knowing, you know, it wasn't the real intent,
[29:14.050 --> 29:18.610]  but I think it was viewed as hostile. And I got that feedback from several folks,
[29:20.110 --> 29:25.870]  you know, in the aerospace village. And so after our analysis disclosure, we held a meeting with
[29:26.010 --> 29:30.230]  a lot of key stakeholders. A lot of the airlines had a lot of questions for us. You know, what do
[29:30.230 --> 29:35.790]  you think of this? Is it real? You know, we gave our synopsis. A lot of the government folks and
[29:35.790 --> 29:39.690]  Katie were in one of the meetings with us. We had a spirited discussion with lots of different
[29:40.230 --> 29:46.330]  government people, as you remember. And in that meeting, Katie kind of said, you know, John,
[29:46.330 --> 29:51.970]  you really need to reach out to these folks and I can help you if you'd like. So we took that,
[29:51.970 --> 29:57.250]  went internal to Boeing and we had some spirited discussions because this is really uncomfortable.
[29:57.250 --> 30:03.190]  You know, changing how we've operated for a long time is not the easiest thing. But at the end of
[30:03.190 --> 30:08.650]  the day, we said, you know what, we need to do this because these people are out looking at our
[30:08.650 --> 30:13.670]  designs. They're not, you know, I don't think there's any ill will, but we need to embrace
[30:13.670 --> 30:20.330]  them and we need to learn from them. And so we set up this tech council and we had several meetings
[30:20.330 --> 30:25.790]  trying to level set a little bit. It's a little hard via the phone. And so after the RSA conference
[30:25.790 --> 30:31.590]  in San Francisco in February, we invited them all back to Boeing. And at Boeing, we kind of
[30:31.590 --> 30:37.050]  went over some of our design methodologies and, you know, met face to face. And that's a real,
[30:37.050 --> 30:43.530]  it's real powerful to get to know people at a much more personal level. We took them into our labs,
[30:43.530 --> 30:48.890]  showed them what we're capable of. We even arranged time on a 787 simulator. In fact, one of the
[30:48.890 --> 30:54.330]  gentlemen was a military pilot and we set up kind of a difficult landing for him. High winds and,
[30:54.750 --> 30:59.390]  you know, low light conditions, et cetera. He made it down good, which was positive.
[30:59.510 --> 31:05.190]  But I think it went a long way to mending the adversary relationship. So as part of that, we
[31:05.190 --> 31:13.050]  have part of this team, they have a, some folks have a claim they'd like to investigate with us.
[31:13.050 --> 31:17.010]  And we're in the, we were in the process of bringing them into Boeing, into our lab to kind
[31:17.010 --> 31:22.510]  of evaluate that when, you know, the COVID hit and that kind of slowed us down a little bit. But,
[31:22.510 --> 31:27.810]  you know, I really want to embrace this and I want to expand it. And, you know, at DEF CON,
[31:27.810 --> 31:32.310]  we actually plan on bringing, you know, real hardware, setting up some kind of
[31:32.310 --> 31:38.610]  capture the flag event to kind of embrace this community much more. Another aspect of this,
[31:38.610 --> 31:45.250]  we actually matured our vulnerability disclosure process. It is now very easy to find on the Boeing
[31:45.250 --> 31:50.030]  website. At least I hope it is for folks. I was able to find it. And you can send your
[31:50.030 --> 31:56.990]  vulnerabilities encrypted. We provide that means. And we're starting to receive a lot of stuff in.
[31:57.050 --> 32:02.770]  And a lot of things that come in are shared between all the stakeholders. And as the product
[32:02.770 --> 32:08.310]  guy for the airplane, we see all of it. And we actually evaluated surprising vulnerabilities
[32:08.310 --> 32:14.370]  that are in the IT space. A lot of these systems are used in some form in aerospace. And so we have
[32:14.370 --> 32:20.970]  to evaluate all those and see if we have the same issue that maybe the original claim came in with.
[32:21.270 --> 32:24.970]  So I'll just close, you know, saying we're still crawling here. I'm really hoping to get
[32:24.970 --> 32:31.310]  more engaged. You know, I think it's critical that we interject this into our designs. It's
[32:31.410 --> 32:36.390]  a different view. And, you know, it's always powerful to get diverse opinions and diverse
[32:36.390 --> 32:41.070]  perspectives. And those outside of aviation probably are more powerful at looking at our
[32:41.070 --> 32:50.270]  designs than we may be. So thanks. Yeah, awesome. I know I remember sitting in some of those meetings
[32:50.270 --> 32:55.850]  and I remember thinking to myself, why don't we all just talk? You know, why can't we just,
[32:55.850 --> 32:59.310]  why don't we all just talk? And I can imagine that there were some people in that room who thought
[32:59.310 --> 33:06.490]  that I was just that crazy lady from Homeland Security with these wild dreams of working
[33:06.490 --> 33:10.710]  together. But I'm hopeful that we're going to see more of that and that that has actually worked out
[33:10.710 --> 33:18.990]  really well. So yeah, you know, we're still in steps here. And I would like to, you know,
[33:18.990 --> 33:22.790]  commend Boeing because Boeing did all the hard work on that. You know, the hardest part is
[33:22.790 --> 33:28.350]  getting going and taking all of the steps that needed to happen in order to bring
[33:28.350 --> 33:32.570]  people in and really get down into the labs and get into the weeds. And that takes a
[33:32.570 --> 33:36.250]  lot of effort. And so I commend Boeing for that.
[33:39.070 --> 33:42.530]  So Sid, can you talk a little bit about the FAA structure
[33:42.530 --> 33:47.670]  and the work with the tri-chair and some of the things that you've been working with?
[33:51.470 --> 33:59.390]  Yeah, sure. Thanks, Katie. I agree with everything that has been said on this great panel. I think,
[33:59.390 --> 34:07.490]  let me make a few points. You know, we kind of oversee and regulate civil aviation. So we have a
[34:07.490 --> 34:14.470]  unique role. We are the premier aviation agency in the US. We have authority over all the aircraft
[34:14.470 --> 34:21.670]  that fly in the US and all the airmen, all the pilots, we certify them, we certify all the
[34:21.670 --> 34:28.170]  aircraft. And we also conduct air traffic control, all the airplanes that take off and land are
[34:28.710 --> 34:36.730]  controlled by the FAA. So it's a pretty big role. It's a pretty big responsibility. I think safety
[34:36.730 --> 34:47.470]  is our focus and we are a safety agency. And so the way I see it is that cybersecurity is part
[34:47.470 --> 34:56.070]  of our safety responsibility. And I run into that all the time. As a tri-chair for the ACI,
[34:56.070 --> 35:02.390]  it's really a big task is culture change. We are trying to bring that culture of security
[35:02.390 --> 35:09.870]  and looking at how to improve the security of the whole ecosystem into an agency that's focused
[35:10.470 --> 35:17.390]  primarily on safety. So in terms of vulnerability disclosure, we don't have like a formal program.
[35:17.510 --> 35:23.870]  We don't have like a way that you all the researchers can come forward and directly to us.
[35:24.710 --> 35:31.510]  We rely on DHS, which is our partner through the ACI. But that does not mean that we are not open
[35:31.990 --> 35:40.490]  to all of your ideas. I think the fact that I'm here on a panel, you know, I'd love to hear from
[35:40.490 --> 35:48.610]  you all. And we'd love to have that dialogue about what the risk is and what some of the
[35:48.610 --> 35:53.470]  vulnerabilities are. So I want to echo what has been said earlier. I think trust building
[35:53.470 --> 35:59.730]  is incredibly important. We all should come together. And like Katie said, we need to be
[35:59.730 --> 36:07.790]  talking all the time and exchanging notes and exchanging ideas. Let me share a quick story.
[36:07.790 --> 36:15.650]  About two years ago, I was at the Pentagon. And DoD has this team called Gen5. That's basically
[36:16.150 --> 36:21.110]  a bunch of very smart people, just like you all, that were looking at some of the vulnerabilities
[36:21.710 --> 36:28.330]  within ADS-B, which is our system for surveillance-based air traffic control. It's
[36:28.330 --> 36:33.670]  satellite-based, I'm sorry, air traffic control. We are moving away from radar into satellite-based
[36:33.670 --> 36:42.590]  GPS radar control. And so they had worked on this project for about a year to look at some
[36:42.590 --> 36:48.050]  of the vulnerabilities within ADS-B, which is a huge investment for the FAA and for the American
[36:48.050 --> 36:56.410]  public. And I was with the CISO at the time and some other executives from FAA. And we just thought
[36:56.410 --> 37:02.970]  it was fantastic. I mean, to invite these researchers into the Pentagon and have them test
[37:04.390 --> 37:10.670]  an aviation system and hear some of their ideas. They actually came out with a report,
[37:10.670 --> 37:16.450]  which was super insightful. And we took it all the way to the National Security Council.
[37:16.890 --> 37:22.310]  And that has formed a basis for a lot of the follow-on work that's going on within ACI
[37:22.830 --> 37:29.310]  for ADS-B. So, you know, I told my boss, this is something we need at FAA, too. We need a
[37:29.310 --> 37:34.610]  team like this to come in and test our systems and bring a completely different perspective
[37:35.390 --> 37:42.910]  than what the agency is used to. So that coming together of the researchers,
[37:42.910 --> 37:50.370]  of the research community, of the safety folks, you know, of the air traffic controllers and
[37:50.990 --> 37:56.290]  the IT people, all that has to happen because it's really about bringing all those disciplines
[37:56.290 --> 38:02.310]  together to tackle what is a very difficult sort of problem. I mean, we are looking at risks
[38:02.310 --> 38:08.670]  across the ecosystem. And so that conversation needs to happen between the different disciplines.
[38:08.710 --> 38:15.050]  I just did an online cyber course through Harvard a month or so ago. I finished it.
[38:15.050 --> 38:19.830]  It was like an eight-week class. Let me just share a couple of things. Every organization,
[38:20.750 --> 38:25.670]  including aviation, has operational risks, reputational risks, and legal risks when it
[38:25.670 --> 38:33.190]  comes to cybersecurity. So a cyber breach can cause huge damage, millions of dollars in terms
[38:33.190 --> 38:39.710]  of your operations, in terms of your reputation. Something to think about. Second is that we need
[38:39.830 --> 38:45.550]  a culture within cybersecurity where we reward people for being skeptical. You know, you don't
[38:45.550 --> 38:52.650]  want to just kind of reward people who are sort of agreeing with what's going on. You want people
[38:52.650 --> 38:57.650]  to look skeptically at what's going on and tell you a different way to do things. We want to reward
[38:57.650 --> 39:03.910]  people who want to break things because that can lead to a more cyber secure posture. And a lot of
[39:03.910 --> 39:12.490]  the challenge that we face today as organizations has to do with information sharing, has to do with
[39:12.490 --> 39:18.430]  culture change, and trust building. And so those are the tasks that we are all involved with.
[39:19.870 --> 39:23.990]  So information sharing should be happening all the time. And that's what the ACI is
[39:23.990 --> 39:29.570]  designed to do within the government, between our three big departments and with industry.
[39:30.210 --> 39:36.350]  I want to... the last thing I want to say is also the fact that the aviation ecosystem faces
[39:37.610 --> 39:42.950]  a lot of state and non-state cyber threats. The threats are very real.
[39:43.530 --> 39:47.890]  There are known vulnerabilities within this ecosystem. We all recognize that.
[39:48.430 --> 39:55.330]  So that can impact the operations within the national airspace and civil flights.
[39:55.930 --> 40:01.290]  And the fact is we got to tackle those threats and risks together.
[40:01.670 --> 40:10.830]  And so the FAA issues cyber situation reports today which address specific equities across
[40:10.830 --> 40:17.610]  this ecosystem. And some of those are externally tailored to partners outside of FAA. So those
[40:17.610 --> 40:28.250]  include other federal agencies and industry partners. And that's what I have. So thanks, Katie.
[40:29.090 --> 40:35.210]  Yeah, awesome. It's really exciting to kind of hear some of the things that get passed around
[40:35.210 --> 40:39.470]  and just really are exciting initiatives. The Pentagon has, I know, been deeply involved in
[40:39.470 --> 40:45.630]  aviation for, you know, I was in the Air Force, so, you know, since forever. And so it's really
[40:45.630 --> 40:52.670]  great to see these very, very established organizations get excited about working with
[40:52.670 --> 40:59.070]  research and breaking things. That just makes my day. So these are really awesome initiatives and
[40:59.070 --> 41:03.230]  I'm really excited about them. I want to move to the future for a little while. We kind of talked
[41:03.230 --> 41:07.050]  about the past and we talked about the current and then I want to kind of talk about the future
[41:07.050 --> 41:13.410]  really quick. And so I think the DOD's got kind of a really fun new initiative that I'd love to
[41:13.410 --> 41:18.530]  hear more about. I think it's called the N-FACTOR. So Al, can you talk to us about the N-FACTOR?
[41:19.090 --> 41:23.350]  Hey, sure, Katie. Hey, just as a little background before we dive right into the
[41:23.350 --> 41:28.270]  N-FACTOR. So we talked a lot about identifying and sharing cyber vulnerabilities, sharing
[41:28.270 --> 41:33.950]  information. But going forward, the future is that we need to work together to close those
[41:33.950 --> 41:40.210]  vulnerabilities using a threat-informed, risk-based approach. And that points us to two trends
[41:40.210 --> 41:46.830]  the aviation ecosystem must address. You know, like Sid said, the first trend is the cyber threat
[41:46.830 --> 41:52.930]  to aviation is real and growing. So it's highly likely that advanced nefarious cyber actors, to
[41:52.930 --> 41:58.810]  include adversary nation states, will use cyberspace to steal our aviation intellectual property
[41:58.810 --> 42:04.870]  and to conduct cyber operations to damage the reputation of U.S. and allied aircraft and
[42:04.870 --> 42:09.970]  aviation industries, to gain a competitive advantage for their own industries. And so from
[42:10.110 --> 42:14.890]  a national security perspective, improving the cybersecurity and resilience of our own
[42:14.890 --> 42:20.790]  nation's aviation ecosystem to counter this threat is key. And for the Department of Defense, we have
[42:20.790 --> 42:25.970]  to be able to project power, defend the homeland, and protecting critical aviation infrastructure
[42:25.970 --> 42:31.150]  is part of that. But there's one thing we acknowledge. This challenge is not something
[42:31.150 --> 42:37.810]  the Department of Defense or the government can do on its own. So recognizing these two trends,
[42:37.810 --> 42:42.370]  recognizing that trend, you know, requires an increase in a public and private sector
[42:42.370 --> 42:48.130]  collaboration or whole-of-nation approach. I don't know if you're aware, but Congress recently
[42:48.770 --> 42:54.890]  chartered the Cyberspace Solarium Commission. And in this commission report, it identified
[42:55.330 --> 43:00.970]  the need to increase public and private sector collaboration. And the goal is to improve our
[43:00.970 --> 43:08.490]  speed and agility in addressing cybersecurity and resilience threats. And so the N-FACTOR that you
[43:08.490 --> 43:14.170]  referred to, which stands for the National Federation of Aviation Cyber Test Organizations
[43:14.170 --> 43:20.670]  and Researchers, the N-FACTOR, is a great example how the Aviation Cyber Initiative is pushing to
[43:20.670 --> 43:25.950]  work on this. And so the thing that the Aviation Cyber Initiative does is, you know, we bring
[43:25.950 --> 43:32.390]  together that whole-of-nation approach, bring together the cyber experts from federal agencies,
[43:32.390 --> 43:40.110]  state agencies, industry, our federally funded research and development centers, our university
[43:40.110 --> 43:48.310]  affiliated research centers, our national labs, all working together in the N-FACTOR to achieve
[43:48.310 --> 43:54.950]  three lines of effort. Those lines of effort are, one, is catalog, collaborate, and connect.
[43:55.010 --> 44:01.210]  And so, you know, just at a top level, we talk about catalog, our big push is to create a
[44:01.210 --> 44:07.770]  national-level aviation cyber resource guide. And the goal of this resource guide is to be
[44:07.770 --> 44:14.270]  an online, accessible, and searchable database of aviation cyber research, development, test,
[44:14.270 --> 44:21.510]  and evaluation resources, expertise, facilities, and capabilities. And so, if you're part of the
[44:21.510 --> 44:27.830]  N-FACTOR and you're working on initiative to counter, to look at cyber fuzzing or any of
[44:27.830 --> 44:34.570]  these other kind of cyber trends, you could go to the resource guide and it'll give you a list of
[44:34.570 --> 44:39.830]  who's working in that space, what kind of capabilities they have to test, and what, and
[44:39.830 --> 44:46.030]  more importantly, how you can get to hold, get a hold of them to further collaborate. And so, the
[44:46.030 --> 44:52.370]  collaboration is our second line of effort. You know, the goal of the collaboration is to create
[44:52.770 --> 44:58.470]  a persistent collaboration forum where these cyber experts, this whole nation approach, can get
[44:58.470 --> 45:06.030]  together and be able to spotlight or showcase capabilities, share information on projects,
[45:06.030 --> 45:11.790]  and more importantly, if a, like, let's say, for example, you're working a project on intrusion
[45:11.790 --> 45:17.110]  detection, cyber anomaly and intrusion detection, you can come to the N-FACTOR and present your
[45:17.110 --> 45:26.190]  project and give us asks. And in the ask, the goal for the ask is that the N-FACTOR try to close
[45:26.190 --> 45:31.930]  those gaps. And when we talk about closing those gaps, we call that a connect. And that's the third
[45:31.930 --> 45:39.030]  line of effort, to connect projects, efforts, research papers with resources to do things like
[45:39.030 --> 45:45.730]  test, validate, and move forward projects. And just a couple examples. You know, on the
[45:45.730 --> 45:50.930]  collaboration side, Johns Hopkins APL did a presentation on how they were doing cyber
[45:50.930 --> 45:58.310]  modeling on various aircraft. And the aircraft they were doing the modeling on, it so happened,
[45:58.310 --> 46:03.790]  since John Craig was on, they were Boeing aircraft. And so, you know, after the meeting,
[46:03.790 --> 46:08.190]  John and his team got together and said, hey, we probably need to know more about this modeling
[46:08.190 --> 46:13.610]  effort. And oh, by the way, maybe we can work with Johns Hopkins to make it better. And so right now,
[46:13.610 --> 46:18.930]  that's what we call a connect. We're working to bring those Johns Hopkins APL and Boeing together
[46:18.930 --> 46:24.510]  to talk about how they can enhance that cyber modeling. And then on the resource sharing side,
[46:24.510 --> 46:28.850]  we had a project come forward that was working on a cyber anomaly and intrusion detection
[46:28.850 --> 46:36.230]  capability with AI machine learning based. And they needed a data tap to pull data from 1553 bus.
[46:36.230 --> 46:40.370]  They didn't have it. And they also needed large quantities of data to support,
[46:40.370 --> 46:45.870]  you know, training a machine learning and AI capable tool. And so we connected them with
[46:45.870 --> 46:52.050]  the Air Force Research Lab and provided a tool called Vampire, which is an aviation bus tap,
[46:52.050 --> 46:56.510]  and shipped that to them. And then Johns Hopkins APL again came through,
[46:56.510 --> 47:03.270]  and they've been working on a data sharing effort that's been fantastic in terms of connecting. So
[47:03.270 --> 47:08.310]  those are the kind of things that the N-FACTOR is trying to do. And we're trying to do it at
[47:08.310 --> 47:14.050]  scale. And so that leads us to the, I'm sure people are saying, so how do you participate
[47:14.050 --> 47:20.230]  in the N-FACTOR? Well, we got a couple asks. You know, first off, we're focused right now on US
[47:20.230 --> 47:26.690]  organizations. So if you want to be a part of the N-FACTOR, what we ask you to do is three things.
[47:26.690 --> 47:34.590]  First, we want you to one, agree to populate our aviation cyber resource guide with your
[47:34.590 --> 47:42.670]  company's capabilities and resources. So that's one. The second one is, we want you to participate
[47:42.670 --> 47:50.170]  in our tight 90-minute monthly forum. It's the N-FACTOR collaboration forum. And our goal is
[47:50.170 --> 47:56.570]  to be able to showcase all our major participants as we go forward. And to participate in follow-on
[47:56.570 --> 48:02.170]  meetings, you know, should those connects happen. And the third one is, that is the connect part.
[48:02.170 --> 48:08.330]  That if you have capacity, and if you have resources, we would like for you to help connect
[48:08.330 --> 48:15.790]  others to serve as a mechanism to accelerate our cyber innovation in the aviation ecosystem.
[48:15.790 --> 48:22.370]  And so that's the kind of the three asks. I'll tell you, just yesterday, we had nearly 100
[48:22.370 --> 48:29.170]  participants from across more than 60 organizations participate in the N-FACTOR forum. Our FAA tech
[48:29.170 --> 48:36.930]  center and DoD guides are working to deliver the aviation cyber resource guide by the end of August,
[48:36.930 --> 48:42.310]  at least the first instantiation of it. It's based on the FAA's technical capabilities library.
[48:42.550 --> 48:48.990]  And I would say, you know, N-FACTOR is growing. And I think it's exceeding many of our expectations.
[48:49.350 --> 48:55.010]  And what we want to do is get more people to work with us. So we can do what I like to say,
[48:55.010 --> 49:00.670]  collaborate with effect. And so that's, that's the N-FACTOR going forward,
[49:00.670 --> 49:05.470]  working to address the threat, and to increase our public and private sector cooperation
[49:05.470 --> 49:11.210]  across the aviation ecosystem. So Al, let me ask you really quickly, is that,
[49:11.210 --> 49:15.970]  is this initiative specific to military aviation, or is it open to civil aviation as well?
[49:15.970 --> 49:21.970]  No, it's, it's, it's not limited to military aviation. In fact, it's not a DoD initiative.
[49:22.190 --> 49:29.170]  It's an Aviation Cyber Initiative initiative. And so, you know, we have a charter to engage
[49:29.170 --> 49:34.450]  industry. And so we're, we're working to do that in spades. And, you know, at least a couple
[49:34.450 --> 49:40.310]  times a week, we're reaching out to bring our industry partners and really small businesses,
[49:40.310 --> 49:46.110]  you know, which we think the small business, businesses are real powerhouses in innovation.
[49:46.150 --> 49:50.410]  And, you know, when we can connect them with the larger big companies like the Raytheons and
[49:50.410 --> 49:55.110]  Boeings of the world, then we can, we believe that we'll be able to accelerate aviation
[49:55.110 --> 49:57.830]  cybersecurity capabilities.
[50:00.240 --> 50:09.040]  Awesome, awesome. So we have about eight minutes or so left. And so I really want to
[50:09.940 --> 50:17.160]  close up with some of our closing thoughts, and some just kind of words of wisdom and
[50:17.160 --> 50:22.780]  things that we've learned from each one of the participants. So Randy, can we start with you?
[50:22.780 --> 50:27.240]  What are your, what are your words of wisdom, things to take away, closing thoughts?
[50:28.200 --> 50:34.220]  Things to take away? Well, I'll tell you what, Katie, I'm super proud of what we're doing under
[50:34.220 --> 50:41.380]  ACI. I think it's, I think, I think it's time that we reach out across the entire ecosystem
[50:41.380 --> 50:47.360]  and try to pull people together and have those conversations, address those vulnerabilities.
[50:47.360 --> 50:53.960]  And, and I think, frankly, I think this is beginning to work. You know, working for DHS
[50:53.960 --> 51:00.100]  CISA, you know, I've got that, that outward look. I'm looking to industry. I can pick up the phone
[51:00.100 --> 51:05.660]  and call virtually anybody on this panel at any time. And if they're not in a meeting, which they
[51:05.660 --> 51:11.400]  always are, they'll answer the phone and we'll have a conversation. This is, this is collaboration
[51:11.400 --> 51:17.840]  at its finest. And, and I gotta say, you know, and I know we're limited on time, so I'll, I'll
[51:17.840 --> 51:24.340]  stop it here. I love my job. And that, and these are the reasons why I love my job. The people on
[51:24.340 --> 51:28.720]  the panel, the things that we're trying to accomplish and what we're trying to do through
[51:28.720 --> 51:36.440]  ACI. I'm very proud of that. Yeah, it's wonderful. It's something that I think is really going to
[51:36.440 --> 51:40.140]  make a difference. And that's, that's very exciting. I'm excited to be proud of it or to
[51:40.140 --> 51:50.780]  be part of it. Sid, what are your, what are your thoughts? Well, I, I want to say that COVID-19
[51:51.240 --> 51:54.760]  obviously has affected the aviation industry. It's transforming,
[51:55.320 --> 52:00.260]  it's going to transform how we travel. It's going to change so many things. And
[52:01.960 --> 52:05.380]  we're, you know, we're going through a change right now as an aviation industry,
[52:05.980 --> 52:11.520]  but that does not mean we ignore the cyber threats. The work we are doing here
[52:12.840 --> 52:19.260]  on this panel and the work I do through the ACI is incredibly important.
[52:20.220 --> 52:27.120]  The cyber threats are real from both state and non-state actors. It's a combination of physical
[52:27.120 --> 52:33.280]  security and cybersecurity and the information technology and operational technology,
[52:33.280 --> 52:40.220]  safety, security, all of that. And the ecosystem is a vast complex network. So
[52:41.120 --> 52:46.960]  there's a lot of vulnerabilities to it. A cyber breach can happen anytime.
[52:47.260 --> 52:52.740]  There are threats out there and an attack can cause millions of dollars of damage
[52:52.740 --> 53:00.180]  and a loss of reputation. So it can shake public confidence. It can change again,
[53:00.180 --> 53:05.740]  the nature of flying. So we cannot ignore it. I think the work we're doing is super important
[53:05.740 --> 53:11.160]  and I'm privileged and I feel lucky to be part of this team of so many smart people
[53:11.660 --> 53:17.040]  who are doing such incredible work. So thank you for having me. You have my contact information,
[53:17.040 --> 53:25.240]  so I urge you all to reach out to me anytime. Awesome. John?
[53:30.260 --> 53:39.140]  So, you know, the last year has been interesting and we have got much more of a focus at Boeing on this.
[53:39.440 --> 53:44.020]  We do daily report outs to the board of directors. In fact, we have a champion on our board.
[53:44.060 --> 53:50.960]  We are leveraging our enterprise to not only help us with incident response, but helping
[53:50.960 --> 53:57.120]  to beef up our design guides. We have expanded our product
[53:58.500 --> 54:04.460]  cert team and we're being much more proactive at looking at things.
[54:05.360 --> 54:11.340]  And then we're looking at things across board. How do you create a process to evaluate threats
[54:11.340 --> 54:17.160]  and risks? And we're looking into that. We're actually working with industry and the government
[54:17.660 --> 54:23.640]  on, you know, how do we do that effectively? But key is we're really starting to engage outside
[54:23.640 --> 54:29.340]  of aerospace. And I think that's going to be the thing that really helps us the most. You know,
[54:29.340 --> 54:34.980]  the tech council is one, but participation at DEF CON so we can build those relationships,
[54:34.980 --> 54:39.760]  RSA conferences, et cetera. So it's pretty exciting. It's really exciting right now
[54:39.760 --> 54:46.920]  and a little uncomfortable, but it's good. So thanks. Yeah. Embrace the uncomfort.
[54:48.100 --> 54:54.520]  Jen? Katie, I'm honestly kind of blown away. You know, I think the whole purpose of the
[54:54.520 --> 55:00.940]  Aerospace Village is to increase understanding and appreciation of the importance of cyber
[55:00.940 --> 55:07.800]  security in aviation and to do so in a way that builds trust between the security community,
[55:07.800 --> 55:14.100]  the aviation industry and the government, which all play a very, very important role in advancing
[55:14.100 --> 55:19.080]  cyber security in aviation. And when I sit and I listen to my panel of panelists talking about
[55:19.080 --> 55:22.920]  some of the amazing initiatives they've got going on and hear their attitudes and their responses
[55:22.920 --> 55:28.220]  to the research and that kind of stuff, I just, I feel like we're in such a dramatically different
[55:28.220 --> 55:34.180]  position to where we were a couple of years ago. And I hear people saying that they want to hear
[55:34.180 --> 55:37.060]  from the research community. They want to hear from the security community. They want to partner
[55:37.060 --> 55:43.100]  and collaborate. And that is, that's an incredible opportunity. And I hope that anybody listening,
[55:43.100 --> 55:48.000]  particularly people who are participating in security research in some way, that they get a lot
[55:48.000 --> 55:52.380]  of hope and optimism from this and feel that they can engage and that they can build trust,
[55:52.380 --> 56:02.820]  they can build empathy and they can get involved. Yeah, it's very exciting. The trust and the
[56:02.820 --> 56:07.080]  relationships, I think, are some of the most important factors in all of this. It's
[56:07.080 --> 56:13.520]  getting involved. So yeah, getting involved. Jeff, information sharing, what have you got?
[56:14.060 --> 56:18.800]  Oh, thanks a lot. I think this has been a great discussion. And, you know, we only went through
[56:18.800 --> 56:25.820]  one example. But at the Aviation ISAC, we've had several of these events happen over the last
[56:25.820 --> 56:31.160]  couple of years. And each one of them pretty much follows this pattern of building a great
[56:31.160 --> 56:37.080]  relationship with a security researcher, finding out, you know, what a vulnerability is that
[56:37.080 --> 56:42.200]  they've discovered, and then going through that validation process of, you know, is it really
[56:42.200 --> 56:48.120]  an issue? Or isn't it an issue? And then, you know, working through the remediations and
[56:48.120 --> 56:53.380]  disclosures when those have to happen. And, you know, likewise, we have found this to be
[56:53.920 --> 57:01.180]  incredibly eye-opening. And, I mean, so much so with the researchers, we've even hired one, which
[57:01.800 --> 57:08.380]  helps us tremendously, particularly in the work that we're doing now. So I am glad that
[57:09.120 --> 57:14.760]  there's been kind of this breakthrough and that we're seeing, you know, the bridge is being built,
[57:14.760 --> 57:23.240]  and I only think it's going to get better. Awesome. Al, what are your closing remarks,
[57:23.240 --> 57:28.520]  closing thoughts? Okay, hey, Katie. So kind of echoing across the board, I think the most
[57:28.520 --> 57:33.720]  important thing is one is we have to recognize that the threat is real. And we should learn
[57:33.720 --> 57:38.780]  from the maritime sector's NotPetya attack. We shouldn't have to wait until a serious cyber
[57:38.780 --> 57:46.100]  attack of our own on the aviation ecosystem occurs. And the key to preventing that is to embrace the
[57:46.100 --> 57:52.120]  idea that there's safety in the herd. You know, we need to strengthen the aviation herd, you know,
[57:52.120 --> 57:57.440]  by continuing to share information, vulnerabilities, and work together to address those
[57:57.440 --> 58:02.540]  vulnerabilities to improve our aviation cybersecurity and resilience. And so the threat's
[58:02.540 --> 58:10.000]  real, and there's safety in the herd. Terribly true. Very true. So I guess my closing remarks,
[58:10.000 --> 58:16.340]  then, I will say that the thing that I take away from all of these things is that I go back to
[58:16.340 --> 58:20.900]  coordinated vulnerability disclosure. And I say that coordinated vulnerability disclosure is an
[58:20.900 --> 58:26.320]  essential part of any security research. I think that everyone here and everyone that I've met,
[58:26.320 --> 58:30.580]  from varying backgrounds all over the world, everyone has the same goal. We may not all speak
[58:30.580 --> 58:35.640]  the same language. We may talk past each other. But I think ultimately, we have the same goal.
[58:35.640 --> 58:39.660]  And that goal is protecting the end user. It's reducing risk and making people safer.
[58:39.820 --> 58:45.260]  And so I think the last thing that anybody wants is to inadvertently put countless people's lives
[58:45.260 --> 58:51.140]  at risk, economic situation at risk, because we published a roadmap that if that fell into the
[58:51.140 --> 58:56.620]  wrong hands could just wreak havoc. So I go for coordinated vulnerability disclosure because it
[58:56.620 --> 59:03.900]  really is a balancing act. It's a process that allows us to mitigate or to balance while we're
[59:03.900 --> 59:12.820]  trying to mitigate. So that's my closing advice. I feel like all of the progress that we've made
[59:12.820 --> 59:19.280]  is so wonderful. We have a long way to go. I love the fact that we're all talking to each other
[59:19.280 --> 59:25.140]  and we're working together. But I want to make sure we know that there is a road ahead of us.
[59:25.140 --> 59:33.320]  That road to me, the future looks bright and I'm excited for it. So thank you guys for coming to
[59:33.320 --> 59:39.300]  the panel and listening to us. And if you have any questions, our contact information is up.
[59:39.320 --> 59:43.200]  I think there's going to be an opportunity for some live chat later at some point. So
[59:43.200 --> 59:47.180]  you'll be able to find out more information about that. If you have any questions or want to talk
[59:47.180 --> 59:52.480]  more to us, please feel free to reach out. I think everyone here would invite a conversation.
[59:52.480 --> 01:00:01.380]  It was great talking to everybody today. Thank you.
